Class Action Fishing: Apple Sued Over Third Party User Tracking

from the seems-like-a-stretch dept

One of those class action specialist lawsuit firms, who seem to file lawsuits mostly designed to make the lawyers money, rather than correct any sort of improper actions, has sued Apple and some app makers over supposed privacy violations. At issue is the fact that some apps pass on the unique UDID code that is associated with each iPhone to advertisers. This lets advertisers track the same user across multiple apps -- similar, in some sense, to a browser cookie. The "difference" is that a browser cookie is deletable, while you're stuck with your UDID. This all came out a couple weeks ago in a WSJ article, and since these kinds of lawyers are opportunists, they're always quick to jump on any lawsuit opportunity whenever the press highlights a story like this.

Not surprisingly, it appears this case is yet another attempt to abuse the CFAA (Computer Fraud and Abuse Act), which is generally thought of as an anti-hacking law, but which is continuously stretched and abused to pull in other situations. In this case, the lawyers are claiming that accessing the UDID without permission is the equivalent of accessing a computer without authorization. Think about that for a second and then realize how silly this is. No one is hacking anything to get this info. The info is made available, and so it's been shared. Using the CFAA here is ridiculous. They also seek to use a similar California anti-hacking law in a similar way. This is clearly not what those laws are intended for.

Furthermore, it seems silly to blame Apple for the way that some app providers are sharing data. To get around this issue, the lawyers rely on two key points. First, that Apple itself recently changed its terms to ban apps from sending data to third parties such as ad networks. Of course, most people realized this was not about protecting privacy, but about forcing developers to use Apple's own ad platform. Second, the fact that Apple approves each of the apps in the marketplace. I know that some people assume this automatically adds liability to Apple for anything those apps do, but that seems like a bit of a stretch as well. It's ridiculous to assume that Apple tests all aspects of an app, and thus becomes liable for anything those apps do.

All in all this looks like yet another attempt by some lawyers to take some fear mongering and make some money out of it. It's not going to do anything to protect anyone's actual privacy.

Seems to me that this has the potential to prevent apps from UDID, which would in fact improve privacy, if only in this case. Apple in fact does examine many aspects of what apps do, as it has rejected many apps for far less invasive practices. It would be trivial to have an app detected as requesting this unique ID.

While this country is beyond suit-happy, does techdirt have another option in terms of changing corporate behavior rather than threat of monetary loss?

I'm afraid I disagree on this one. If Apple didn't take the heavy handed approach to app approval, then you could make a case for absolving them of responsibility in this. However, I think they are in it up to their eyeballs having put their stamp of approval on these invasive apps. I believe Android would have a stronger case for being absolved of liability because of their 'you choose' approach.

Perhaps I'm not quite as trusting of companies mining my data in a way that I don't have oversight on, and I think I still prefer an 'opt-in' choice rather than 'opt-out', and I personally have found Apple's attitude a bit too invasive to make me comfortable. Granted, their corporate policy is their choice, but my choice not to agree with it is mine.

Re: Re:

Agreed. There's no need to criminalize stupid business decisions on either side of the equation. Whether the decision is sticking with models that are being harmed by foolish resistance to change or making changes that piss off the customers. The market can and will sort out almost any instance of uncommon stupidity if simply left alone.

I had a link...

I will try and post it from home. I can't access it from here at work. Some of the issue is that part of making an app for that, was Apple actually states that for a program to be accepted it must follow guidelines, the guidelines state that no information should be passed onto 3rd parties unless that information is needed for the app to function. (such as my roommate has an app for him to get information on items she buys to see if there are coupons or sales going on anywhere nearby simply by scanning a barcode. the barcode can be sent to 3rd parties such as stores who participate in this app but her personal info such as her ID or her current location cannot be passed along). The problem is Apple is doing a piss-poor job of policing this and can end up causing more security issues (such as location spam and the like). The makers of some of these things are also listed as defendants such as the weather channel APP and some app where you can pet some cat in the belly and punch him knocking him out... There were a few others listed in the article (I think it was on CNET but not positive).

I think Apple is on the hook because they specifically made this possible, and approved apps that take advantage of the "feature". It would be something that could possibly be changed in the OS that would no longer expose this critical information so easily to apps. It is an entirely unique identifier that makes the phone "tracked for life". Combine that in an app with perhaps a user signup for a site, and you could have all of their personal information and make each phone personally identifiable.

Techdirt, Get Your Facts Straight

Techdirt, don't you guys ever do research on your articles before you publish them? I'm a repeat visitor and I love your articles but this is one time where your writer forgot to do his or her homework.

First, the lawsuit was filed by the co-founder of Microsoft, Paul Allen, who is NOT a patent troll.

Second, he filed the lawsuit against "several" companies who are violating the same patents that Paul Allen owns. Aol, Apple, eBay, Facebook, Google, Netflix, Office Depot, OfficeMax, Staples, Yahoo and YouTube are all companies who are named in the lawsuit.

Third: The lawsuits involved:

-- U.S. Patent No. 6,263,507, for "Browser for Use in Navigating a Body of Information, With Particular Application to Browsing Information Represented By Audiovisual Data."

-- U.S. Patent No. 6,034,652, for "Attention Manager for Occupying the Peripheral Attention of a Person in the Vicinity of a Display Device."

-- U.S. Patent No. 6,788,314, for "Attention Manager for Occupying the Peripheral Attention of a Person in the Vicinity of a Display Device."

-- U.S. Patent No. 6,757,682, for "Alerting Users to Items of Current Interest."

Re: Re: Techdirt, Get Your Facts Straight

He received but actually doesn't produce anything, he failed to come to the market and wants to extract a rent for more successful entrepreneurs which makes him a patent troll.

That aside, not sure why he is bringing this to this thread since what he posted here has nothing to do with what is being discussed, it is not about patents, it is about privacy, or did I miss something?

Techdirt, Get Your Facts Straight

Fact is, that it really doesn't matter whether he's a patent troll or not. He received his patents back in the 90's, which, according to Slashdot articles and Google searches, benefited Microsoft and Google.

Now that multiple companies are abusing his patents, without paying for the right to use those patents, everyone's saying he doesn't have a right to request compensation from the courts?

That's akin to saying that if I'm in my yard and the neighbor's dog broke free from his yard and came over into my property and bit me that I don't have the right to sue.

Believe what you want, but a patent is akin to property. If you want to use that "property" then you have to ask permission to use it. If you use that "property" without permission or without compensation then you accept the responsibility that comes from the illegal use of that "property."

The one thing that Paul Allen might have going for him is his connection to Microsoft and the fact is that there's a likely possibility that he's going to win.

Re:

I'm afraid I disagree on this one. If Apple didn't take the heavy handed approach to app approval, then you could make a case for absolving them of responsibility in this. However, I think they are in it up to their eyeballs having put their stamp of approval on these invasive apps. I believe Android would have a stronger case for being absolved of liability because of their 'you choose' approach.

I agree that Apple has a higher likelihood of liability because they do take on some responsibility for approving apps. But I'm troubled by the suggestion that if you review *some* aspects of an app, you've now taken on liability for *all* aspects of that app.

In the case law around things like Section 230, this sort of argument has generally been rejected. That is, in the case law, if you (for example) moderate comments on an email list, it does not make you responsible for libelous messages that others wrote, but which you approved.

I would think the same thing applies here.

Perhaps I'm not quite as trusting of companies mining my data in a way that I don't have oversight on, and I think I still prefer an 'opt-in' choice rather than 'opt-out', and I personally have found Apple's attitude a bit too invasive to make me comfortable. Granted, their corporate policy is their choice, but my choice not to agree with it is mine.

I agree, but that's a market choice. I'm not sure this lawsuit should apply.

Re: If you create a walled garden

But since they are looking at every product and vendor that enters the market they accept full responsibility for everything, good or bad.

Again, as I stated above, I don't believe this makes sense, and I don't believe it's how the law views things. If you look at the caselaw on Section 230, it does say that if you're a service provider who reviews *some* aspects of content that you moderate, it does not make you liable for everything in that content.

I think it's a leap to say because Apple reviews apps to make sure they work, it means they also take responsibility for sneaky things the apps do. Think through the implications of that.

Re: Techdirt, Get Your Facts Straight

Techdirt, don't you guys ever do research on your articles before you publish them? I'm a repeat visitor and I love your articles but this is one time where your writer forgot to do his or her homework.

Kinda funny to call us out on not doing our research when your comment is about an entirely unrelated lawsuit.

Re:

Consumer pressure on Apple and on developers could certainly minimize the use of UDIDs, and Apple would likely eventually add a developer guideline banning the practice, and then they would add that check to their standard roster of tests (though whether or not there really is a consistent standard for the app store is debatable).

The point is not that accessing the UDIDs is a good thing, but that it's probably not an illegal thing - and it's definitely not in violation of anti-hacking laws. If these lawyers want to pore over all the contracts and licenses and EULAs involved and show that a law actually was broken, then they are free to do so - but they should not twist a law that was clearly never intended to apply to situations like this just so they can launch a class-action.

Abuse of the law can sometimes bring desirable short-term effects, but in the long run it is always bad.

Re: If you create a walled garden

I do see your point, but I think Mike is right that liability doesn't just become absolute.

Let's say you run a market, and you check every product and vendor. You check them against your health and safety standards, and to ensure they aren't selling counterfeit goods or stolen property, then you let them in.

Certainly you could be liable if they violated the things you specifically checked for. But are you also liable if they turn out to be doing something else entirely? Maybe constructing an illegal mailing list of their customers, or making unauthorized recordings of their conversations with them? It wouldn't make sense for your liability to extend to something you never took any responsibility for in the first place.

Re: Re: If you create a walled garden

Apple by design makes the ID number available to third party apps. By design, the phone is allowing this sort of violation. That Apple approved apps inside their walled garden that obtained this number and distributed it to others is a clear violation of privacy rights.

It would appear that Apple's flawed design allowed this to happen. Their walled garden approach on Apps only makes this worse, because they would be aware of what each app was doing. So they set up the situation to allow for violation of privacy, and then did nothing to stop it (and appear to have approved it on a number of apps).